The αη protocol given by Barbosa et al., PRL 90, 227901 (2003) claims to be a secure way of encrypting messages using mesoscopic coherent states. We show that transmission under αη exposes information about the secret key to an eavesdropper, and we estimate the rate at which an eavesdropper can learn about the key. We also consider the consequences of using further randomization to protect the key and how our analysis applies to this case. We conclude that αη is not informationally secure.
Encryption of sensitive data is a ubiquitous problem in military, commercial, and even personal communications. Quantum mechanics can be used to solve this problem by generating a key that can be proven to be unconditionally secure via the BB84 protocol (e.g., [1]); this key can then be securely used in a one-time pad. However, BB84 is difficult to implement and has relatively low bit rates compared to current data transmission rates [2]. To combat these disadvantages, another quantum encryption scheme which can send encrypted data at very high rates and which is easily implemented has been proposed in [3]. This protocol is often called the αη protocol or the Y-00 protocol and purports to draw its security from confusing an eavesdropper Eve by using the uncertainty on any measurement she can make.

The αη protocol has not been shown to be unconditionally secure as has BB84; indeed, the attack given in [4] (see also [5]) shows that at best the security of αη must be complexity-based, as are current classical ciphers. In this paper, we show that αη has an additional disadvantage that current classical ciphers do not have: transmission of the "encrypted" states actually leaks information about the key to an eavesdropper, even if that eavesdropper has no information about the message. Such a weakness has been independently described briefly in [6], and in more depth in [7] and [8]; here, we calculate information loss and estimate a bound on the efficacy of explicit attacks such as [7]. In the remainder of this paper, we will describe the αη scheme, show that in practice there is no advantage created for Bob over Eve via quantum limits on measurement, and estimate how much information Eve can learn about the key from Alice's transmission. We will also discuss a technique given in [9] and [6], Deliberate Signal Randomization, and how our analysis applies there.

In the αη protocol, the symbols transmitted from Alice to Bob are physically encoded as mesoscopic coherent states (mean photon numbers $N \sim 10$–$10^5$) of varying phase or polarization. Without loss of generality, we will consider the states to have the same polarization and amplitude, and varying phase. We will take the number of symbols to be $M$, and the code states to be $|\alpha(j)\rangle = |e^{2\pi i j/M}\sqrt{N}\rangle$, where $j \in \{0, \ldots, M-1\}$. The states to be sent are selected by the following technique:

1. Starting with a key $K$ of size $L$ bits, use a pseudo-random number generator to produce a running key $R$. In order to send a message of size $Q$ bits, $Q\log(M/2)$ bits of $R$ must be computed.

2. Take $\log(M/2)$ bits of $R$, $k_q \in \{0, \ldots, M/2-1\}$. Take one bit of message, $b_q \in \{0, 1\}$.

3. Compute $j_q = ((k_q \bmod 2) \oplus b_q)\,M/2 + k_q$. Alice sends the corresponding state $|\alpha(j_q)\rangle$. This may be interpreted as a "basis" of $k_q$, which corresponds to an angle within a half-circle, and a "signal" of $(k_q \bmod 2) \oplus b_q$ which determines whether the upper or lower half-circle is used.

4. Repeat steps 2 and 3 using successive bits of the message and strings of the running key, until the entire message has been sent (a total of $Q$ times).

Note that knowledge of $\{j_q\}$ unambiguously determines the message bits $\{b_q\}$, regardless of the key. The protocol relies upon the condition that the code states are not perfectly distinguishable for any physical receiver. This can be guaranteed if $M/\sqrt{N}$ is sufficiently large, because the quantum states of neighboring symbols will then have high overlap.

There is much discussion in the literature of "advantage creation." The principle of this is 
that if the intended receiver, Bob, knows the secret key, then he can do an optimal measurement 
to distinguish the two possible states Alice may send (depending on the message bit). An eaves- 
dropper, Eve, who does not know the key, must discriminate more possible states, and hence must 
perform a different measurement. This measurement will be non-optimal at distinguishing the 
two states which may actually be sent, and therefore it is claimed that Eve will necessarily have a 
higher bit-error rate than Bob. However, this comparison is fair only if Bob and Eve are both given 
a signal with equal amplitude. In practice, if Bob is receiving a signal which has been attenuated 
by more than 3dB, or has been put through an amplifier (amplifiers reduce signal to noise by at 
least 3dB), then it is possible that Eve has received more signal than Bob. Furthermore, the opti- 
mal measurement that Bob could perform (the Dolinar receiver [10]) has not been experimentally 
demonstrated, although work on this is pending [11], so instead it is proposed that Bob perform a 
homodyne measurement (where the local oscillator phase is determined by the running key). For 
a given signal strength, however, homodyne has only a weak advantage over the demonstrated 
adaptive-phase technique (see [12]), and only a 3dB advantage over the commonplace heterodyne 
measurement. That is, if the attenuation factor is more than 2/3 (more than 5dB loss), then it is 
possible that Eve has twice the signal that Bob has, and even if she only performs heterodyne, 
she actually has a measurement advantage over Bob (assuming he does homodyne). We therefore 
believe that for practical implementations, Bob will not have a measurement advantage over Eve, 
and the quantum aspects of the problem can be modeled by a classical system with appropriate 
noise. 

We will treat the system classically by assuming that Alice computes $j_q$, then sends

$$ j'_q = (j_q + w_q) \bmod M. \qquad (1) $$

Here $w_q$ is a gaussian-distributed random variable, with mean zero and standard deviation $\sigma \ge M/(4\pi\sqrt{N})$. The equality holds for an ideal phase measurement with unit efficiency. Imperfect detection and loss will introduce an attenuation $\eta$ of the signal, such that

$$ \sigma = \frac{M}{4\pi\sqrt{\eta N}}. \qquad (2) $$

For example, if in the path from Alice to Bob the beam goes through a long fiber with 10 dB of attenuation, and then is detected by heterodyne with 80% quantum efficiency, then $\eta_{\rm Bob} = \eta_{\rm loss}\,\eta_{\rm het}\,\eta_{\rm q.e.} = (0.1)(0.5)(0.8) = 0.04$. The approximation of gaussian-distributed phase noise is good for $\eta N \gg 1$. We will assume that the $w_q$ "sent" to Bob and Eve are uncorrelated.

Here is a brief derivation of the formula for $\sigma$ given in Eq. (2). The light pulse which encodes each symbol is in a mode with annihilation operator $a$. We define quadrature components $Q_\phi = e^{i\phi}a^\dagger + e^{-i\phi}a$, $P_\phi = i(e^{i\phi}a^\dagger - e^{-i\phi}a)$. These operators have the commutation relation $[Q_\phi, P_\phi] = 2i$. A coherent state has minimum uncertainty on the quadratures, and thus has $\langle(\Delta Q_\phi)^2\rangle = \langle(\Delta P_\phi)^2\rangle = 1$. For coherent states with amplitude large compared to unity, a phase measurement can be approximated as a measurement of a quadrature which is $\pi/2$ with respect to the coherent state amplitude. That is, for a coherent state $|e^{i\theta}\sqrt{N}\rangle$, we pick quadratures $Q_\theta, P_\theta$, and measure $P_\theta$. Our estimate of the phase is given by $\theta' = \theta + P'_\theta/\langle Q_\theta\rangle$, where $P'_\theta$ is the result of our measurement. Our estimator $\theta'$ is unbiased and minimum variance in the limit of $N \gg 1$. Notice that we have used a $\tan(x) = x$ approximation, and that we would have to know both the phase and amplitude of the state in advance in order to actually do this ideal measurement on a single state. The variance of $\theta'$ is given by $\langle P_\theta^2\rangle/\langle Q_\theta\rangle^2 = 1/(4N)$. Therefore the standard deviation of $j' = \theta' M/2\pi$ is $M/(4\pi\sqrt{N})$.

It is claimed that the αη scheme is secure when $\sigma \gg 1$, because then Eve cannot accurately infer $j_q$ from $j'_q$. The claim is that Eve will estimate the message bit as

$$ b_q^{\rm Eve} = (j'_q \bmod 2) \oplus (\lfloor 2 j'_q / M \rfloor \bmod 2). $$

This estimate will have a very high error rate because $j'_q \bmod 2$ has a very low correlation with $j_q \bmod 2$ due to the noise term. Meanwhile, it is claimed Bob will have a low error rate because he will use his knowledge of $k_q$ to compute

$$ x'_q = \begin{cases} 0 & \text{if } |k_q - j'_q| < M/4 \text{ or } |k_q - j'_q| > 3M/4 \\ 1 & \text{otherwise} \end{cases} \qquad (3) $$

That is, $x'_q$ is zero when $j'_q$ is in the same half-plane as $k_q$, and one when it is in the other half-plane. Bob will then estimate the message as $b_q^{\rm Bob} = x'_q \oplus (k_q \bmod 2)$, which will have a low error rate if $\sigma \ll M$.

However, the claims of security do not consider that the record of all of the measurements $\{j'_q\}$ does give some information on $\{j_q\}$, from which Eve can obtain information on $\{k_q\}$, and ultimately on $K$. Once Eve knows $K$, she can then compute all $\{k_q\}$, and hence can decrypt in the same way as Bob.

We will now estimate the information gain on $j_q$ from a measurement $j'_q$, in the limit $M \gg \sigma \gg 1$ (the limit where it is claimed there is good security against Eve and a low error rate for Bob). The initial entropy on $j_q$ before the measurement is $H_0$, which we will take as

$$ H_0 = -\sum_{m=0}^{M-1} p_m \log(p_m) = \log(M). \qquad (4) $$

We have assumed no prior knowledge of the symbol, i.e. uniform probabilities $p_m = 1/M$ for all $m$. Without loss of generality, we will take the actual symbol prepared by Alice to be $j_q = M/2$. Then Eve's probabilities for the symbol are

$$ p_m \approx \int_{m-1/2}^{m+1/2} \frac{1}{\sigma\sqrt{2\pi}} \exp\left(-\frac{(x - M/2)^2}{2\sigma^2}\right) dx \approx \frac{1}{\sigma\sqrt{2\pi}} \exp\left(-\frac{(m - M/2)^2}{2\sigma^2}\right). \qquad (5) $$

Then the entropy after the measurement is

$$ H_1 \approx -\int_0^M \frac{1}{\sigma\sqrt{2\pi}} \exp\left(-\frac{(m - M/2)^2}{2\sigma^2}\right) \left[ -\log(\sigma\sqrt{2\pi}) - \frac{(m - M/2)^2}{2\sigma^2}\log(e) \right] dm = \log\left(\sigma\sqrt{2\pi e}\right). \qquad (6) $$

Therefore, the information gained is

$$ H_0 - H_1 = \log\left(\frac{M}{\sigma}\right) - \log\left(\sqrt{2\pi e}\right) \approx \tfrac{1}{2}\log(\eta N) + 1.6 \qquad (7) $$

bits for each symbol that Eve measures. This is the information gained on $j_q$; the information gained on $k_q$ is approximately 1 bit less, because the message bit obscures 1 bit of the running key per symbol. Since $K$ and all $\{k_q\}$ are deterministically related, in principle information on $k_q$ can be converted to information on $K$. We therefore take $U = H_0 - H_1 - 1 \approx \tfrac{1}{2}\log(\eta N) + 0.6$ as an upper bound on Eve's information on $K$ per measured symbol.

We expect Eve's information to grow linearly with the number of symbols because the use of a pseudo-random number generator implies that values of $K$ which have similar values of $k_q$ will have uncorrelated values of $k_s$ for $s \neq q$. In other words, the pseudo-random number generator will redistribute Eve's prior probabilities back to the flat distribution for each new symbol. This approximation will of course break down when Eve's entropy on $K$ is low, such that her entropy on the key will only asymptotically approach zero as the number of symbols goes to infinity. In this latter limit, the prior probabilities will be strongly peaked, and additional measurements of $k_q$ will provide little additional information on $K$. Eve's entropy on the key will transition from linear decline to asymptotic decay after measuring approximately $n_0 = L/U$ symbols, by analogy to the unicity distance [13] of a classical deterministic cipher used to encode a redundant (reduced entropy) message. We note that this unicity distance is very similar to the unicity bound calculated in [7].

We estimate from our unicity bound that Eve may have enough information to determine the key with high probability when $Q \gg n_0$. Let us take an example by considering the experimental demonstration of αη given in [14]. In that demonstration, Alice and Bob share a key $K$ with $L = 4400$ bits, and Alice sends states with $N = 40000$ photons. Let us now assume that Eve detects with total efficiency $\eta_{\rm Eve} = 0.1$. Then for each symbol Alice sends, Eve gains about 7.6 bits of information, or about $U \approx 6.6$ bits of information about the key. Since each symbol transmits 1 bit of information to Bob, we can see that if Alice sends much more than $n_0 = 4400/6.6 \approx 668$ bits to Bob, then Eve will have enough information to find the key, and hence decrypt all of the messages that were sent with that key.
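As an added illustration (example code, not from the paper), the following Python simulates the symbol map of steps 1–4, Bob's decision rule of Eq. (3), a keyless parity guess for Eve, and the noise model and information gain of Eqs. (1), (2) and (7), reproducing the 7.6-bit and $n_0 \approx 668$ figures of the example above. The running key, message bits, $M = 4096$ and Eve's decoder are constructed assumptions.

```python
import math
import random

# Added simulation of the alpha-eta symbol map and of the per-symbol
# information leak (Eqs. 1, 2 and 7); example code, not from the paper.

def alpha_eta_encode(k_q, b_q, M):
    """Step 3: j_q = ((k_q mod 2) XOR b_q) * M/2 + k_q, with k_q in [0, M/2)."""
    s = (k_q % 2) ^ b_q                  # which half-circle is used
    return s * (M // 2) + k_q

def phase_sigma(M, N, eta):
    """Eq. (2): sigma = M / (4 pi sqrt(eta N)), in units of symbols."""
    return M / (4 * math.pi * math.sqrt(eta * N))

def noisy_measurement(j_q, sigma, M, rng):
    """Eq. (1): j'_q = (j_q + w_q) mod M with gaussian w_q, rounded to a symbol."""
    return round(j_q + rng.gauss(0.0, sigma)) % M

def bob_decode(k_q, j_meas, M):
    """Eq. (3): x'_q is 0 when j'_q lies in k_q's half-plane, then XOR k_q mod 2."""
    d = abs(k_q - j_meas)
    x = 0 if (d < M / 4 or d > 3 * M / 4) else 1
    return x ^ (k_q % 2)

def eve_decode(j_meas, M):
    """Assumed keyless guess: parity of the noisy symbol XOR its half-circle index."""
    return (j_meas % 2) ^ ((2 * j_meas // M) % 2)

def info_per_symbol_bits(N, eta):
    """Eq. (7): H_0 - H_1 = log2(M/sigma) - log2(sqrt(2 pi e)); M cancels out."""
    return (math.log2(4 * math.pi * math.sqrt(eta * N))
            - 0.5 * math.log2(2 * math.pi * math.e))

def unicity_symbols(L, N, eta):
    """n_0 = L / U, where U is one bit below the symbol information (message bit)."""
    return L / (info_per_symbol_bits(N, eta) - 1)

def simulate_error_rates(M, N, eta_bob, eta_eve, n_symbols, seed=1):
    """Bit-error rates of Bob and Eve over n_symbols constructed random symbols."""
    rng = random.Random(seed)
    sig_bob, sig_eve = phase_sigma(M, N, eta_bob), phase_sigma(M, N, eta_eve)
    bob_err = eve_err = 0
    for _ in range(n_symbols):
        k_q = rng.randrange(M // 2)      # running-key chunk (constructed, not a PRNG)
        b_q = rng.randrange(2)
        j_q = alpha_eta_encode(k_q, b_q, M)
        # independent noise samples for Bob and Eve, as assumed in the text
        bob_err += bob_decode(k_q, noisy_measurement(j_q, sig_bob, M, rng), M) != b_q
        eve_err += eve_decode(noisy_measurement(j_q, sig_eve, M, rng), M) != b_q
    return bob_err / n_symbols, eve_err / n_symbols

if __name__ == "__main__":
    N, L = 40000, 4400                   # values from the cited demonstration
    print("Eve gains %.1f bits/symbol, n0 ~ %d symbols" %
          (info_per_symbol_bits(N, 0.1), round(unicity_symbols(L, N, 0.1))))
    print("error rates (Bob, Eve):", simulate_error_rates(4096, N, 0.04, 0.1, 2000))
```

With $\eta_{\rm Bob} = 0.04$ and $\eta_{\rm Eve} = 0.1$ Bob's error rate is essentially zero while Eve's parity guess sits at 50%, yet Eve still gains about 7.6 bits on $j_q$ per symbol.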

It is important to note that in the above, we did not assume that Eve initially had any information on the message. This is not a plaintext attack; this weakness simply comes from the fact that the symbols $\{j_q\}$ contain information on the key which is not totally obscured by the noise.

For comparison, let us consider a simple additive streaming cipher. We will define this cipher by the following procedure:

1. Starting with a key $K$, use a pseudo-random number generator to produce a running key $R$. In order to send a message of size $Q$ bits, $Q$ bits of $R$ must be computed.

2. Take one bit of $R$, $k_q \in \{0, 1\}$. Take one bit of message, $b_q \in \{0, 1\}$.

3. Alice sends $j_q = k_q \oplus b_q$ over a noiseless channel.

4. Repeat steps 2 and 3 on successive bits of the message and running key, until the entire message has been sent (a total of $Q$ times).

If Eve's entropy on the message is initially $H_{\rm Eve}({\rm message}) = Q$ (no plaintext is known), then her entropy on the key does not decrease. Essentially, the key encrypts the data, and the data encrypts the key. On the other hand, if Eve starts with some knowledge of the message, she can perform a known plaintext attack on the key which will succeed with high probability if $(Q - H_{\rm Eve}({\rm message})) > L$ [12]. That is, every bit of the message which is known to Eve can be used to reveal one bit of the key. The αη protocol has a similar property, in that if one bit of the message $b_q$ is known, then knowledge of $j'_q$ can more effectively be used to find $k_q$. We estimate that in the presence of known plaintext, Eve can determine $K$ with high probability when $Q(U+1) - H_{\rm Eve}({\rm message}) \gg L$. Thus, from an information-theory standpoint, the αη protocol is worse than the simple additive stream cipher.

Ref. [7] gives an explicit attack exploiting this leak in information security for linear feedback shift register (LFSR) based stream ciphers. Figure 6 of their paper graphs the minimal number of symbols needed for a successful attack, $S_0$, as a function of $g = L$, the number of bits about the generator that need to be learned. Our analysis simply gives

$$ S_0 \gg \frac{g}{U}. $$

That is, the relationship between $g$ and $S_0$ is linear, which is roughly what [7] finds in Figure 6. Using Eq. (7) with $2\sqrt{\eta N} = 300$, and subtracting a bit for information about the message, gives the bound $S_0 \gg g/7.8$, to be compared with the numerical result of the attack employed in [7] of $S_0 \approx 40g$. Of course, we are assuming optimal use of information, which is not necessarily achieved in a practical attack.

It may be claimed that while αη does not have security in the information theory sense, it may have complexity-based security, in that it would take unreasonably large computational resources for Eve to convert her information on $\{j'_q\}$ into information on $K$. An analysis of the computational complexity of this task would depend on the choice of pseudo-random number generators, and is beyond the scope of this paper.

Independently, a similar observation regarding the exposure of the key has been recently made by H. Yuen in [15] (and see also [6] and [13]). In [15], it is argued that a technique that is called Deliberate Signal Randomization (DSR) will serve to add information-theoretic security to the key. This technique simply involves Alice sending a random state in the half-plane around the state she would send under the non-DSR version given above. That is to say, equation (1) would become

$$ j'_q = (j_q + w_q + \beta_q) \bmod M, \qquad (8) $$

where $\beta_q$ is a uniformly distributed random variable between $-M/4$ and $M/4$.

Under such a system, it is true that Eve will not learn anything about the key, but at the expense of introducing error into the transmission when $\beta_q$ is close to $-M/4$ or $M/4$. (If the distribution on $\beta_q$ is truncated or otherwise changed to lessen the error, it should be clear how to modify the above calculation to show that information is still being given to Eve.) Ref. [15] calculates that this error would be about one percent. Now, the message could conceivably be encoded in an error-correcting code, or some low-entropy message, such as one in English, could be sent with this system, thus allowing correction of the errors by Bob. However, this introduces redundancy into the message, which decreases Eve's entropy on the message, which she can exploit to collect information about the key as above. We conclude that the use of DSR could conceivably lessen the breach of information-theoretic security, but that the αη scheme with DSR is still informationally insecure, and gives more information to an attacker than a simple classical additive stream cipher.

It is clear that in order to avoid errors, or the redundancy necessitated by an error-correcting code, one should set the variance of $w_q$ in Eq. (8) to zero. In this case, where any measurement noise is negligible, it is possible to have good information-theoretic security. However, in terms of information this is equivalent to the simple additive streaming cipher described earlier. Although there are $M$ possible symbols in the channel, precisely one bit is conveyed in each transmission due to the random $\beta$ term. The transmitted bit is computed from the message and the key. The exact nature of the computation is different, but the information contained is the same.

An additional problem with DSR, also noted briefly in [9], is that it introduces another source of randomness with a particular distribution that must be fed into the system at a very high data rate. This rather negates the spirit of the original proposal, which depended on the fast generation of randomness given by the measurement of a coherent state. Practically, as well, finding true random sources at high data rate is difficult, and using a pseudo-random number generator leads to information-theoretic exposure of the second generator by the same logic as that used above.

Another advantage of αη stated in [3] is that it gains some security due to the physical nature of the states being sent: it may in practice be difficult to perform the measurements needed to eavesdrop on a channel with this encoding. However, since an effective eavesdropping strategy is to employ a heterodyne or dual-homodyne measurement, we do not see a great difference in the practical difficulty of eavesdropping from the difficulty of the legitimate receiver, or from the receiver of any coherent communication system.

In conclusion, we have found that the αη protocol does not have good information-theoretic security. While information-theoretic security is not always the primary concern, we believe it is an important factor in the assessment of a cryptosystem.